Rate limiting + per-user quotas
Demonstrate that rate limiting and per-user quota mechanisms are consistently enforced across all application entry points to prevent resource exhaustion and abusive request patterns.
Description
What this control does
Rate limiting caps the number of requests a user, IP address, session, or API key can make to an application or API within a defined time window (for example, 100 requests per minute). Per-user quotas cap resource consumption for individual accounts or subscription tiers, so that no single actor can monopolize system capacity. Together they protect availability and performance by throttling excessive activity, whether malicious (credential stuffing, denial of service, scraping) or unintentional (a misconfigured client or runaway automation). Enforcement usually lives in an API gateway, web application firewall, or application-layer middleware that counts requests per key and, once the limit is reached, rejects or delays further requests (over HTTP, typically a 429 Too Many Requests response with a Retry-After header). The choice of key matters: a login endpoint limited only by source IP does little against credential stuffing spread across many addresses, so authentication endpoints should also be limited per target account. Limits must also be applied at every entry point (web, mobile API, legacy endpoints), otherwise attackers simply use the one that is not throttled.
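The following is an added example (not code from the original page) of the mechanism described above: a sliding-window limiter that can key one endpoint on several identities at once and that takes per-account limits from a subscription tier. The policy, tier names, limits, and the FakeClock used to make the run deterministic are assumptions chosen for illustration. The first demo shows why login must be keyed on the target username as well as the source IP: six attempts from six different addresses still stop at the per-account cap of five.

```python
import time
from collections import deque
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    limit: int          # the limit that bound this request
    remaining: int      # requests left in the window under that limit
    retry_after: float  # seconds until a slot frees up (0.0 when allowed)


class RateLimiter:
    """Sliding-window limiter keyed on one or more identities per endpoint category."""

    def __init__(self, policy, tier_quotas, clock=time.monotonic):
        self.policy = policy            # category -> [(identity key, limit or None, window s)]
        self.tier_quotas = tier_quotas  # tier name -> requests per window
        self.clock = clock
        self._hits = {}                 # (category, key name, key value) -> deque of admit times

    def check(self, category, **identity):
        now = self.clock()
        decisions = []
        for key_name, configured_limit, window in self.policy[category]:
            key_value = identity[key_name]
            # A None limit means "use the account's subscription-tier quota";
            # the account identity is passed as (account_id, tier_name).
            limit = configured_limit if configured_limit is not None else self.tier_quotas[key_value[1]]
            hits = self._hits.setdefault((category, key_name, key_value), deque())
            while hits and hits[0] <= now - window:  # drop hits that left the window
                hits.popleft()
            if len(hits) >= limit:
                decisions.append(Decision(False, limit, 0, hits[0] + window - now))
            else:
                decisions.append(Decision(True, limit, limit - len(hits) - 1, 0.0))
        denied = [d for d in decisions if not d.allowed]
        if denied:
            return max(denied, key=lambda d: d.retry_after)
        # Only admitted requests are counted: rejected ones cost nothing, so an attacker
        # cannot extend a victim's throttling indefinitely by hammering a denied key.
        for key_name, _, _ in self.policy[category]:
            self._hits[(category, key_name, identity[key_name])].append(now)
        return min(decisions, key=lambda d: d.remaining)


# Assumed policy for the example. Login is keyed on both source IP and target
# username, so credential stuffing spread over many IPs still hits the per-account cap.
POLICY = {
    "login": [("ip", 20, 60), ("username", 5, 60)],
    "api":   [("account", None, 60)],   # None -> quota of the account's tier
}
TIER_QUOTAS = {"free": 100, "pro": 1000}


class FakeClock:
    """Deterministic clock so the demo behaves identically on every run."""
    def __init__(self, start=1000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def credential_stuffing_demo():
    """Six login attempts on one username, each from a fresh IP, one second apart.
    Returns (allowed flags, retry_after reported for the last attempt)."""
    clock = FakeClock()
    rl = RateLimiter(POLICY, TIER_QUOTAS, clock)
    allowed = []
    for i in range(6):
        d = rl.check("login", ip=f"198.51.100.{i}", username="victim")
        allowed.append(d.allowed)
        clock.advance(1)
    return allowed, d.retry_after


def tier_quota_demo(tier):
    """Returns (calls admitted before the first denial, allowed again after the window)."""
    clock = FakeClock()
    rl = RateLimiter(POLICY, TIER_QUOTAS, clock)
    account = ("acct-1", tier)
    admitted = 0
    while rl.check("api", account=account).allowed:
        admitted += 1
    clock.advance(61)  # window is 60 s, so every earlier hit has expired
    return admitted, rl.check("api", account=account).allowed


if __name__ == "__main__":
    print(credential_stuffing_demo())                        # ([True, True, True, True, True, False], 55.0)
    print(tier_quota_demo("free"), tier_quota_demo("pro"))  # (100, True) (1000, True)
```

In a real deployment the per-key timestamp store would live in shared state (for example a central cache) rather than in process memory, otherwise each gateway replica enforces its own, larger effective limit; the Decision fields map directly onto a 429 response and its Retry-After header.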
Control objective
What auditing this proves
Demonstrate that rate limiting and per-user quota mechanisms are consistently enforced across all application entry points to prevent resource exhaustion and abusive request patterns.
Associated risks
Risks this control addresses
- Credential stuffing or brute-force authentication attacks succeed due to unlimited login attempt rates
- Distributed denial-of-service (DDoS) attacks overwhelm application resources by flooding endpoints with requests
- API abuse by automated scrapers or malicious bots degrades service performance for legitimate users
- Resource exhaustion from a single compromised account or runaway script consumes infrastructure capacity
- Lack of per-user quotas enables one customer to monopolize multi-tenant system resources affecting other tenants
- Enumeration attacks (user discovery, data mining) proceed unchecked without request throttling
- Business logic abuse exploits unlimited transaction rates to manipulate pricing, inventory, or promotional systems
Testing procedure
How an auditor verifies this control
- Inventory all externally accessible application endpoints, APIs, and authentication interfaces subject to rate limiting controls.
- Review architectural documentation and configuration files for API gateways, WAFs, load balancers, or application middleware to identify rate limiting and quota enforcement mechanisms.
- Extract and document configured rate limits (requests per time window) and per-user quotas for each endpoint category (authentication, data retrieval, transactions).
- Select a representative sample of critical endpoints (login pages, API authentication, high-value transactions) for functional testing.
- Execute controlled rate-limit testing by scripting requests from a single identity that exceed the configured thresholds, and verify that throttling or blocking begins at the expected limit, that the limit resets after the documented window, and that it is keyed as documented (for example, that a login endpoint still throttles one account when attempts are spread across many source IPs).
- Authenticate as test users with different quota tiers and verify that usage limits are enforced according to assigned quotas through successive API calls.
- Review application logs and monitoring dashboards for evidence of rate limit enforcement events, including timestamps, user identifiers, blocked requests, and reset intervals.
- Interview development and operations teams to confirm rate limiting policies align with documented security requirements and business risk assessments.
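As an added example of the functional test in the procedure above (not part of the original page), the probe below drives one identity past the documented limit, records the request number at which the first 429 appeared and the Retry-After value, waits, and checks that access resumes. The `send` callable, the `verdict` rules, and the FakeEndpoint standing in for the system under test are assumptions; the fake is a plain fixed-window counter so the probe can be run offline against an endpoint whose real limit is deliberately set different from the documented one.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    first_throttled_at: Optional[int]     # 1-based request number that first got a 429
    retry_after: Optional[float]          # seconds the endpoint asked us to wait
    recovered_after_wait: Optional[bool]  # True if a request after that wait was admitted


def probe_rate_limit(send, documented_limit, window_seconds, sleep=time.sleep, overshoot=5):
    """Drive one identity past the documented limit and record what actually happens.

    `send()` performs one request and returns (status_code, headers dict).
    Stops at the first 429 or after documented_limit + overshoot requests."""
    for n in range(1, documented_limit + overshoot + 1):
        status, headers = send()
        if status == 429:
            wait = float(headers.get("Retry-After", window_seconds))
            sleep(wait)
            status_after, _ = send()
            return ProbeResult(n, wait, status_after != 429)
    return ProbeResult(None, None, None)


def verdict(result, documented_limit):
    """Compare observed enforcement with the documented policy."""
    if result.first_throttled_at is None:
        return "FAIL: no throttling observed"
    if result.first_throttled_at != documented_limit + 1:
        return (f"FAIL: throttled at request {result.first_throttled_at}, "
                f"expected {documented_limit + 1}")
    if not result.recovered_after_wait:
        return "FAIL: limit did not reset after Retry-After"
    return "PASS"


class FakeClock:
    """Deterministic clock; sleep() becomes advance() so the run is instant."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


class FakeEndpoint:
    """Constructed stand-in for the system under test: a fixed-window limiter that
    admits `limit` requests per `window` seconds. Replace with a real HTTP client."""
    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.window_start, self.count = clock(), 0

    def send(self):
        now = self.clock()
        if now - self.window_start >= self.window:
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count > self.limit:
            return 429, {"Retry-After": str(int(self.window_start + self.window - now))}
        return 200, {}


def run_audit(enforced_limit, documented_limit=100, window=60):
    """Returns the verdict for an endpoint whose real limit may differ from the documented one."""
    clock = FakeClock()
    endpoint = FakeEndpoint(enforced_limit, window, clock)
    result = probe_rate_limit(endpoint.send, documented_limit, window, sleep=clock.advance)
    return verdict(result, documented_limit)


if __name__ == "__main__":
    print(run_audit(100))   # PASS
    print(run_audit(50))    # FAIL: throttled at request 51, expected 101
    print(run_audit(1000))  # FAIL: no throttling observed
```

Against a live target, `send` wraps an HTTP client call and the probe is repeated once per identity dimension the policy claims to key on (one account over rotating source IPs, one IP over many accounts) and once per entry point, since an unthrottled legacy or mobile API path defeats the control. Because the probe is deliberate load, run it in staging or under an agreed test window.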
Where this control is tested